ahh, still no reply.
This forum is about as helpful as a kick in the head.
I must report that I have worked around my problems.
Accepting that the Network Manager is broken, and despite this being a LTS, ain't gonna be fixed any time soon, i've resorted to invoking the openvpn command directly.
My next problem to solve is preventing dns leak.
sudo openvpn --client --config /home/xxx/bin/vpn/config/vpn.ovpn --ca /home/xxx/bin/vpn/config/vpn.ca.crt
I had thought to do this via some rules appended to ufw, using the iptables command.
It is fairly complicated, and i'm simply not yet up to the task. But I will continue to learn it, as it is definitely a good thing to understand it.
However, I came across a post by someone which suggested I add some lines to my VPN configuration file.
I also don't understand those lines, though I will (when I get time) research it.
Unless it is a freak coincidence, it seems to have done the trick.
I prepended the following lines to the vpn.ovpn file:
I was setting this up on debian just now, and it wouldn't work.
It seems I came across a problem that one would also see on Ubuntu.
Apart from prepending the following lines to the vpn.ovpn file:
I needed to make sure I had installed resolvconf (otherwise I still got a DNS leak).
and no, that is not a typo. It is 'resolvconf' not 'resolveconf' which I first accidentally attempted to install.
sudo apt-get install resolvconf
Now no dns leak.
I also apply some firewall rules which at least prevent non-dns traffic going out should the VPN drop out.
"Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo."
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
In looking up all the various pages that helped me, and dumping them here (for your convenience) I came across more
Amazing how easy the stuff is to find, once you have the right search strings. But in searching simply for 'dns leak vpn ubuntu or linux', or variations of that, It took a while to find anything that helped me.
Anyway, hopefully, if someone comes across this, having the same problem as I have, they find it helpful.